[Libreoffice-bugs] [Bug 127309] New: -fsanitize=float-cast-overflow of nRepeats from -1.0 to sal_uInt32 in SimpleContinuousActivityBase::perform
bugzilla-daemon at bugs.documentfoundation.org
Tue Sep 3 12:10:06 UTC 2019
https://bugs.documentfoundation.org/show_bug.cgi?id=127309
Bug ID: 127309
Summary: -fsanitize=float-cast-overflow of nRepeats from -1.0 to sal_uInt32 in SimpleContinuousActivityBase::perform
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Impress
Assignee: libreoffice-bugs at lists.freedesktop.org
Reporter: sbergman at redhat.com
CC: thb at libreoffice.org
At least with a recent Linux ASan+UBSan master build, with
Contoso-Presentation.pptx as obtained from bug 127258 comment 0, "Slide Show -
Start from First Slide" and then pressing space bar four times to go past the
first effect on the third slide, sometimes causes
[...]
> debug:16922:16922: SBSBSB.1 -0.757713 0.5 -1.51543
> debug:16922:16922: SBSBSB.2 1 1
> debug:16922:16922: SBSBSB.8 -0.515426 -1
> debug:16922:16922: SBSBSB.10 -1
> slideshow/source/engine/activities/simplecontinuousactivitybase.cxx:241:53: runtime error: -1 is outside the range of representable values of type 'unsigned int'
> #0 in slideshow::internal::SimpleContinuousActivityBase::perform() at slideshow/source/engine/activities/simplecontinuousactivitybase.cxx:241:53 (instdir/program/../program/libslideshowlo.so +0x134b4b2)
> #1 in slideshow::internal::ActivitiesQueue::process() at slideshow/source/engine/activitiesqueue.cxx:103:44 (instdir/program/../program/libslideshowlo.so +0x133aadc)
> #2 in (anonymous namespace)::SlideShowImpl::update(double&) at slideshow/source/engine/slideshowimpl.cxx:1977:31 (instdir/program/../program/libslideshowlo.so +0x18550e5)
> #3 in sd::SlideshowImpl::updateSlideShow() at sd/source/ui/slideshow/slideshowimpl.cxx:1673:21 (instdir/program/../program/libsdlo.so +0x4a14de8)
> #4 in Scheduler::ProcessTaskScheduling() at vcl/source/app/scheduler.cxx:479:20 (instdir/program/libvcllo.so +0x7b5ab95)
> #5 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:761:45 (instdir/program/libvclplug_gtk3lo.so +0xd60d41)
> #6 in g_main_dispatch at ../glib/gmain.c:3189:28 (/lib64/libglib-2.0.so.0 +0x4fedc)
> #7 in g_main_context_dispatch at ../glib/gmain.c:3854:7 (/lib64/libglib-2.0.so.0 +0x4fedc)
> #8 in g_main_context_iterate at ../glib/gmain.c:3927:5 (/lib64/libglib-2.0.so.0 +0x5026f)
> #9 in g_main_context_iteration at ../glib/gmain.c:3988:12 (/lib64/libglib-2.0.so.0 +0x50312)
> #10 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtk3gtkdata.cxx:528:31 (instdir/program/libvclplug_gtk3lo.so +0xd5bb41)
> #11 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:447:48 (instdir/program/libvcllo.so +0x7be6b9a)
> #12 in Application::Yield() at vcl/source/app/svapp.cxx:511:5 (instdir/program/libvcllo.so +0x7be60e9)
> #13 in Application::Execute() at vcl/source/app/svapp.cxx:428:9 (instdir/program/libvcllo.so +0x7be60e9)
> #14 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1620:17 (instdir/program/libsofficeapp.so +0x732047)
> #15 in ImplSVMain() at vcl/source/app/svmain.cxx:191:35 (instdir/program/libvcllo.so +0x7c40097)
> #16 in soffice_main at desktop/source/app/sofficemain.cxx:177:12 (instdir/program/libsofficeapp.so +0x83c920)
> #17 in sal_main at desktop/source/app/main.c:48:15 (instdir/program/soffice.bin +0x32502a)
> #18 in main at desktop/source/app/main.c:47:1 (instdir/program/soffice.bin +0x32502a)
> #19 in __libc_start_main at /usr/src/debug/glibc-2.29-24-g2ec0b166bf/csu/../csu/libc-start.c:308:16 (/lib64/libc.so.6 +0x23f32)
> #20 in _start at <null> (instdir/program/soffice.bin +0x24e02d)
>
> SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow slideshow/source/engine/activities/simplecontinuousactivitybase.cxx:241:53 in
(with "SBSBSB..." SAL_DEBUG output produced via the patch given below).
It looks like a negative nT leading to a negative nRepeats is not actually
expected here? (Where the negative maTimer.getElapsedTime() is presumably
caused by calls to
> mpTimer->adjustTimer( -fLag );
in ActivitiesQueue::process, slideshow/source/engine/activitiesqueue.cxx.)
The patch producing the "SBSBSB..." SAL_DEBUG output is:
> diff --git a/slideshow/source/engine/activities/simplecontinuousactivitybase.cxx b/slideshow/source/engine/activities/simplecontinuousactivitybase.cxx
> index 5566b5883f78..1f91b341cb97 100644
> --- a/slideshow/source/engine/activities/simplecontinuousactivitybase.cxx
> +++ b/slideshow/source/engine/activities/simplecontinuousactivitybase.cxx
> @@ -118,6 +118,7 @@ namespace slideshow
>
> const double nCurrElapsedTime( maTimer.getElapsedTime() );
> double nT( nCurrElapsedTime / mnMinSimpleDuration );
> + SAL_DEBUG("SBSBSB.1 "<<nCurrElapsedTime<<" "<<mnMinSimpleDuration<<" "<<nT);
>
>
> // one of the stop criteria reached?
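Review bot: the SBSBSB.1 debug sits exactly where a lower bound on nT belongs: nT is derived from nCurrElapsedTime with no check, and the captured log shows this line printing "-0.757713 0.5 -1.51543", a negative elapsed time that nothing clamps before the stop-criteria checks that follow. If a negative maTimer.getElapsedTime() is legitimate after adjustTimer(-fLag), consider `nT = std::max(nT, 0.0);` here so the static_cast<sal_uInt32> at the end of the function never sees a negative value; if it is not legitimate, an assertion at this point would catch the timer problem closer to its source.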
> @@ -138,6 +139,7 @@ namespace slideshow
> const double nEffectiveRepeat( isAutoReverse() ?
> 2.0*nRepeatCount :
> nRepeatCount );
> + SAL_DEBUG("SBSBSB.2 "<<nRepeatCount<<" "<<nEffectiveRepeat);
>
> // time (or frame count) elapsed?
> if( nEffectiveRepeat <= nT )
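Review bot: the only bounds check on nT in this region is `if( nEffectiveRepeat <= nT )`, which guards the upper end only; with nT negative (-1.51543 in the SBSBSB.1 output) this branch is skipped and the negative value flows on unchanged, which the SBSBSB.2 line cannot show because it prints only nRepeatCount and nEffectiveRepeat. Consider printing nT alongside them, or pairing this check with an explicit `nT < 0.0` case.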
> @@ -149,6 +151,7 @@ namespace slideshow
>
> // clamp animation to max permissible value
> nT = nEffectiveRepeat;
> + SAL_DEBUG("SBSBSB.3 "<<nT);
> }
> }
>
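Review bot: SBSBSB.3 does not appear in the captured log, consistent with the clamp `nT = nEffectiveRepeat;` never being reached for a negative nT; the debug line confirms that, but note that this clamp only bounds nT from above and offers no protection against the negative case.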
> @@ -165,6 +168,7 @@ namespace slideshow
> // divert active duration into repeat and
> // fractional part.
> const double nFractionalActiveDuration( modf(nT, &nRepeats) );
> + SAL_DEBUG("SBSBSB.4 "<<nFractionalActiveDuration<<" "<<nRepeats);
>
> // for auto-reverse, map ranges [1,2), [3,4), ...
> // to ranges [0,1), [1,2), etc.
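Review bot: std::modf keeps the sign of its argument, so in this autoreverse branch a negative nT yields a negative nRepeats and a negative nFractionalActiveDuration, just as in the non-autoreverse branch further down; the range mapping described in the comment ("map ranges [1,2), [3,4), ... to ranges [0,1), [1,2)") assumes a non-negative integer part. Whatever guard is added for nT should cover this branch too, and the SBSBSB.4 line is the natural place for an `assert(nRepeats >= 0.0)` while debugging.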
> @@ -172,17 +176,20 @@ namespace slideshow
> {
> // we're in an odd range, reverse sweep
> nRelativeSimpleTime = 1.0 - nFractionalActiveDuration;
> + SAL_DEBUG("SBSBSB.5 "<<nRelativeSimpleTime);
> }
> else
> {
> // we're in an even range, pass on as is
> nRelativeSimpleTime = nFractionalActiveDuration;
> + SAL_DEBUG("SBSBSB.6 "<<nRelativeSimpleTime);
> }
>
> // effective repeat count for autoreverse is half of
> // the input time's value (each run of an autoreverse
> // cycle is half of a repeat)
> nRepeats /= 2;
> + SAL_DEBUG("SBSBSB.7 "<<nRepeats);
> }
> else
> {
> @@ -194,6 +201,7 @@ namespace slideshow
> // nT gives the relative simple time, and the
> // integer part the number of full repeats:
> nRelativeSimpleTime = modf(nT, &nRepeats);
> + SAL_DEBUG("SBSBSB.8 "<<nRelativeSimpleTime<<" "<<nRepeats);
>
> // clamp repeats to max permissible value (maRepeats.getValue() - 1.0)
> if( isRepeatCountValid() &&
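Review bot: this hunk marks where the -1 in the report originates: `nRelativeSimpleTime = modf(nT, &nRepeats);` with nT = -1.51543 gives nRepeats = -1 and nRelativeSimpleTime = -0.515426, exactly the SBSBSB.8 output, and the clamp that follows (per its own comment) only caps repeats at the maximum. Both values are outside their documented ranges at this point, so a check such as `assert(nT >= 0.0)` or an explicit clamp before the modf would address the defect rather than merely observe it.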
> @@ -220,12 +228,14 @@ namespace slideshow
> // nRelativeSimpleTime=1.0.
> nRelativeSimpleTime = 1.0;
> nRepeats -= 1.0;
> + SAL_DEBUG("SBSBSB.9 "<<nRelativeSimpleTime<<" "<<nRepeats);
> }
> }
>
> // actually perform something
> // ==========================
>
> + SAL_DEBUG("SBSBSB.10 "<<nRepeats);
> simplePerform( nRelativeSimpleTime,
> // nRepeats is already integer-valued
> static_cast<sal_uInt32>( nRepeats ) );
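Review bot: the comment "nRepeats is already integer-valued" is true but not sufficient for `static_cast<sal_uInt32>( nRepeats )`: converting a negative double to an unsigned integer type is undefined behaviour, which is precisely what UBSan reports at line 241 (float-cast-overflow, -1 outside the range of unsigned int). SBSBSB.9 is absent from the captured log, so the -1 arrives via the modf path rather than via `nRepeats -= 1.0;`, but that decrement would also produce -1.0 if it ever ran with nRepeats at 0.0 and deserves the same guard. Suggest a check immediately before the cast, e.g. `assert(nRepeats >= 0.0);` (or clamping to 0.0), together with a matching check on nT at the top of the function.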
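The following is an added illustration, not code from the bug report or from LibreOffice, of the mechanism the report describes: a negative elapsed time propagates through modf() into a negative repeat count, and a plain static_cast of that value to an unsigned type is the float-cast-overflow UBSan flags. The RepeatCount alias, the function names and the sample input (taken from the SBSBSB.1 numbers in the report) are assumptions made for this example; the checked and clamped conversions are one possible defensive shape, not the project's fix.

```cpp
// Added illustration (not LibreOffice code): sign propagation through modf()
// and a checked double -> unsigned conversion that avoids undefined behaviour.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Stand-in for sal_uInt32 (hypothetical alias, not the LibreOffice typedef).
using RepeatCount = std::uint32_t;

// Mirrors the non-autoreverse branch in the report: split nT into an
// integer repeat count (returned) and a fractional simple time (*fraction).
// std::modf preserves the sign of nT, so a negative nT yields a negative
// integer part and a negative fraction.
double splitRepeats(double nT, double* fraction) {
    double repeats = 0.0;
    *fraction = std::modf(nT, &repeats);
    return repeats;
}

// Checked conversion: succeeds only for non-negative, integer-valued doubles
// that fit in RepeatCount. A negative or out-of-range double would make
// static_cast<RepeatCount> undefined behaviour (UBSan: float-cast-overflow),
// so such inputs are rejected instead of cast.
bool toRepeatCount(double repeats, RepeatCount& out) {
    if (!(repeats >= 0.0)) return false;                  // also rejects NaN
    if (repeats != std::floor(repeats)) return false;     // not integer-valued
    const double maxRepeat =
        static_cast<double>(std::numeric_limits<RepeatCount>::max());
    if (repeats > maxRepeat) return false;                // would overflow
    out = static_cast<RepeatCount>(repeats);
    return true;
}

// Clamping variant: a negative repeat count (animation "not started yet")
// maps to 0, an oversized one saturates at the type's maximum.
RepeatCount toRepeatCountClamped(double repeats) {
    if (!(repeats >= 0.0)) return 0;
    RepeatCount out = 0;
    if (toRepeatCount(std::floor(repeats), out)) return out;
    return std::numeric_limits<RepeatCount>::max();
}

int main() {
    // Constructed input from the report's SBSBSB.1 line: elapsed -0.757713 s
    // over a 0.5 s minimal duration gives nT = -1.51543.
    const double nT = -0.757713 / 0.5;
    double fraction = 0.0;
    const double repeats = splitRepeats(nT, &fraction);
    std::printf("nT=%g -> repeats=%g fraction=%g\n", nT, repeats, fraction);

    RepeatCount checked = 0;
    if (!toRepeatCount(repeats, checked)) {
        std::printf("checked conversion refused %g (would be UB)\n", repeats);
    }
    std::printf("clamped conversion -> %u\n", toRepeatCountClamped(repeats));
    return 0;
}
```

Running it reproduces the report's "-1" integer part and "-0.515..." fraction from the negative nT; the checked conversion refuses that value where the original static_cast would silently invoke undefined behaviour, and the clamped variant maps it to 0.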